Citrix disclosed Friday that foreign cybercriminals hacked into its internal network and may have accessed and downloaded business documents.
Security firm Resecurity wrote that it warned Citrix of the attack on December 28th, 2018, and that the attack was likely timed to coincide with the Christmas holidays. The firm attributed the attack to an Iranian group called "IRIDIUM" and says it made off with "at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement."
Citrix said it was contacted by the FBI on March 6th, and told there was reason to believe there had been a successful cyberattack on the company's network, according to a March 8th blog post by Stan Black, Citrix's chief security and information officer. It doesn't appear the security of any Citrix product or service was compromised, according to Black.
"It appears that the hackers may have accessed and downloaded business documents," Black wrote. "The specific documents that may have been accessed, however, are currently unknown."
The FBI advised Citrix that the hackers likely used a tactic known as password spraying, where the threat actor tries a single commonly used password against many accounts. If unsuccessful, additional common passwords will be tried until the accounts are accessed. Once the hackers gained a foothold with limited access, Black said they worked to circumvent additional layers of security.
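The spraying pattern described above (one password tried across many accounts, rather than many passwords against one account) leaves a distinctive trace in authentication logs: a single source failing against many distinct usernames in a short window, possibly followed by a success. The following detector is an added example, not part of the original article or of Citrix's or the FBI's tooling; the log lines and the `detect_spray` / `foothold_accounts` functions are constructed for illustration and assume a simple `timestamp result user=... src=...` log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): the first source fails once each
# against five accounts then succeeds on a sixth (spray signature); the second
# source hammers one account repeatedly (classic brute force, not a spray).
SAMPLE_LOG = """\
2018-12-28T02:00:01 FAIL user=alice src=203.0.113.7
2018-12-28T02:00:02 FAIL user=bob src=203.0.113.7
2018-12-28T02:00:03 FAIL user=carol src=203.0.113.7
2018-12-28T02:00:04 FAIL user=dave src=203.0.113.7
2018-12-28T02:00:05 FAIL user=erin src=203.0.113.7
2018-12-28T02:00:06 OK user=frank src=203.0.113.7
2018-12-28T02:01:00 FAIL user=alice src=198.51.100.9
2018-12-28T02:01:01 FAIL user=alice src=198.51.100.9
2018-12-28T02:01:02 FAIL user=alice src=198.51.100.9
2018-12-28T02:01:03 FAIL user=alice src=198.51.100.9
2018-12-28T02:01:04 FAIL user=alice src=198.51.100.9
"""

def parse(line):
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {src: sorted accounts} for every source whose failed logins hit at
    least min_accounts distinct accounts inside one sliding time window."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    fails_by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
    hits = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide window start
                start += 1
            accounts = {u for _, u in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[src] = sorted(accounts)
                break
    return hits

def foothold_accounts(log_text, **kw):
    """Accounts that successfully authenticated from a spraying source: the
    'limited access' foothold that warrants immediate review and credential reset."""
    spraying = detect_spray(log_text, **kw)
    found = defaultdict(set)
    for _, result, user, src in (parse(l) for l in log_text.splitlines() if l.strip()):
        if result == "OK" and src in spraying:
            found[src].add(user)
    return {src: sorted(users) for src, users in found.items()}
```

Per-account lockout thresholds miss this pattern by design, since each account sees only one or two failures; correlating failures by source (or by password-hash equivalence class where the identity provider exposes it) is what surfaces it.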
Resecurity's post says the incident "has been identified as a part of a sophisticated cyberespionage campaign supported by nation-state due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of economy."
Citrix took actions to re-secure its internal network and has commenced a forensic investigation into the breach, Black said. Specifically, the company is continuing to cooperate with the FBI and has engaged an outside cybersecurity firm to assist.
"Citrix is moving as quickly as possible, with the understanding that these investigations are complex, dynamic and require time to conduct properly," Black said. "In investigations of cyber incidents, the details matter, and we are committed to communicating appropriately when we have what we believe is credible and actionable information."
The breach disclosure comes just three days after Citrix updated its SD-WAN offering to help enterprises administer user-centric policies and connect branch employees to applications in the cloud with greater security and reliability. The product is intended to simplify branch networking by converging WAN edge capabilities and defining security zones to apply different policies for different users.